Breaking the Discovery Protocols of the Enterprise of Things Barak Hadad Ben Seri Yuval Sarel CDPWN – © 2020 ARMIS, INC. Introduction 3 Who we are 4 Researching the sub-layers of the network 5 What makes a network tick? 5 Layer 2 attack surface in network appliances 6 Discovery protocols 8 Unravelling 1-days in discovery protocols 8 Finding CVE-2018-0167 (LLDP) 8 Patch-diffing the LLDP daemon versions 9 Finding CVE-2018-0303 (NX-OS and FXOS RCE in CDP) 12 Newly discovered vulnerabilities in CDP 15 CDP vulnerabilities in switches and routers 15 NX-OS Resource Exhaustion in the Addresses TLV (CVE-2020-3120) 15 IOS-XR variant of CVE-2020-3120 17 Exploitability 18 Impact 18 NX-OS Stack Overflow in the Power Request TLV (CVE-2020-3119) 18 Exploitability 20 Impact 21 IOS XR Format String vulnerability in multiple TLVs (CVE-2020-3118) 21 Exploitability 22 Impact 22 CDPwn all the things - CDP vulnerabilities in IP Phones & Cameras 23 IP Phones Stack Overflow in PortID TLV (CVE-2020-3111) 23 Exploitability 24 Impact 24 IP Cameras Heap Overflow in DeviceID TLV (CVE-2020-3110) 25 Exploitability 26 Impact 26 Conclusion 29 CDPwn – ©2020 ARMIS, INC. – 2 TECHNICAL WHITE PAPER Introduction Armis labs discovered 5 zero day vulnerabilities affecting a wide array of Cisco products, including Cisco routers, switches, IP Phones and IP cameras. Four of the vulnerabilities enable Remote Code Execution (RCE). The latter is a Denial of Service (DoS) vulnerability that can halt the operation of entire networks. As a group, CDPwn affects a wide variety of devices with at least one RCE vulnerability affecting each device type. By exploiting CDPwn, an attacker can take over organizations’ network (switches and routers), it’s telecommunication (IP Phones) and even compromise it’s physical security (IP Cameras). Dubbed CDPwn the vulnerabilities reside in the processing of CDP (Cisco Discovery Protocol) packets, impacting firmware versions released in the last 10 years and are an example of the fragility of a network’s security posture when confronted with vulnerabilities in proprietary Layer 2 protocols. The 5 vulnerabilities found are comprised of 4 remote code execution vulnerabilities: 1. Cisco NX-OS Stack Overflow in the Power Request TLV (CVE-2020-3119) 2. Cisco IOS XR Format String vulnerability in multiple TLVs (CVE-2020-3118) 3. Cisco IP Phones Stack Overflow in PortID TLV (CVE-2020-3111) 4. Cisco IP Cameras Heap Overflow in DeviceID TLV (CVE-2020-3110) And 1 Denial of Service vulnerability: 5. Cisco FXOS, IOS XR and NX-OS Resource Exhaustion in the Addresses TLV (CVE-2020-3120) This document will detail the attack surface exposed by proprietary Layer 2 protocols as well as the discovered vulnerabilities in the CDP protocol. It will also detail the severe impact these vulnerabilities have if exploited on affected devices. CDPwn – ©2020 ARMIS, INC. – 3 TECHNICAL WHITE PAPER Who we are Armis Labs is Armis’ research team, focused on mixing and splitting the atoms that comprise the IoT devices that surround us - be it a smart personal assistant, a benign looking printer, a SCADA controller or a life-supporting device such as a hospital bedside patient monitor. Our previous research includes: ● URGENT/11 - 11 Zero Day vulnerabilities impacting VxWorks, the most widely used Real Time Operating System (RTOS). The technical whitepaper for this research can be found here: ○ URGENT/11 - Critical vulnerabilities to remotely compromise VxWorks ● BLEEDINGBIT - Two chip-level vulnerabilities in Texas Instruments BLE chips, embedded in Enterprise-grade Access Points. The technical whitepaper for this research can be found here: ○ BLEEDINGBIT - The hidden attack surface within BLE chips ● BlueBorne - An attack vector targeting devices via RCE vulnerabilities in Bluetooth stacks used by over 5.3 Billion devices. This research was comprised of 3 technical whitepapers: ○ BlueBorne - The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks ○ BlueBorne on Android - Exploiting an RCE Over the Air ○ Exploiting BlueBorne in Linux-Based IoT deices CDPwn – ©2020 ARMIS, INC. – 4 TECHNICAL WHITE PAPER Researching the sub-layers of the network A network of any organization is comprised first by the endpoints that connect to it, but it also contains the devices that operate as the backbone of the network, the pipelines through which traffic is traversed - network appliances such as switches and routers. More often than not, these devices are not taken into consideration when examining the security posture of an organization even though they implement the isolation to sub-networks (a.k.a network segments - VLANs), that is the first line of defense against an attacker that is attempting to perform lateral movement, and move not only between endpoints, but also between segmented parts of the network. In this research we wish to shed light over the protocols and devices that operate the mechanics of the network, and the vulnerabilities that can arise in their implementations. What makes a network tick? A managed network should contain multiple VLANs, split by their level of trust. For example, segregating corporate devices from the Guest WiFi network or from the network containing IoT devices. The VLANs are handled by an embedded device, without inherent security to it - an enterprise network switch. By taking control of a switch an attacker can traverse between VLANs, breaking the trust zones and gaining access to valuable data, or move laterally to attack additional endpoints. By abusing a relatively vulnerable IoT device located on designated VLAN an attacker could take control of the nearby switch and jump to a mission critical VLAN of the organization. CDPwn – ©2020 ARMIS, INC. – 5 TECHNICAL WHITE PAPER Layer 2 attack surface in network appliances To accommodate both performance and security needs, network appliances have become increasingly complex implementing dozens of Layer 2 protocols to meet these requirements. These protocols allow many features that were not possible in the past, when networks were powered by simple switches or hubs. The features include network flexibility, “smart” or automatic configuration of ports and efficient network utilization. Some of the common protocols that implement these include STP, RSTP and LLDP. Many of the more advanced features of these protocols were created by Cisco - a market leader in the field of network infrastructure. Thus, the protocols are proprietary and not necessarily publicly documented and are supported only by Cisco products. These include CDP, ISL and PVST. Although these features allow better management and network utilization, they also represent an untapped attack surface that may contain vulnerabilities that allow attackers to take over network appliances and bypass network segmentation. Partial table of Layer 2 protocols used by network appliances, keyed by destination MAC address CDPwn – ©2020 ARMIS, INC. – 6 TECHNICAL WHITE PAPER While examining a Cisco Nexus switch, for example, we found that many of these Layer 2 protocols are eventually handled by software. Nexus switches are based on the NX-OS operating system which is based on Wind River Linux. The first step is to find which protocols are routed to the main CPU (the same CPU that parses user input and controls the switch configuration). After a bit of digging we found this data flow: ● Layer 2 forwarder (l2fwder) - The first process to parse incoming layer 2 packets, based on some hardware filtering of specific destination MAC addresses. It removes basic packet encapsulation and decides if the packet should be dropped or sent for more specific processing. ● mts_queue - A message queue used to send the packets between the processes. ● Protocol parser - Each protocol has its own protocol parser process. For example, the parser for CDP is cdpd. ● l2fwder supports a multitude of protocols: ○ BPDU (Bridge Protocol Data Units) ■ STP (Spanning Tree Protocol) - A network protocol that builds a loop free logical topology for Ethernet networks. ● RSTP (Rapid Spanning Tree Protocol) - Faster STP ● MSTP (Multiple Spanning Tree Protocol) - STP with VLANs support ○ LACP (Link Aggregation Control Protocol) - Allows port trunking ○ PVST+ (Per VLAN Spanning Tree) ■ RPVST+ (Rapid Per VLAN Spanning Tree) ○ CDP - Cisco Discovery Protocol ○ LLDP - Link Layer Discovery Protocol CDPwn – ©2020 ARMIS, INC. – 7 TECHNICAL WHITE PAPER ○ DTP - Dynamic Trunking Protocol ○ VTP - VLAN Trunking Protocol Layer 2 packets of the above protocols are captured on all interfaces of the switch, and not just on a switches management port, and in turn these packets are also parsed by the l2fwder process, and the specific protocols parsers as well. By obtaining a vulnerability that can lead to RCE, in any one of the parsing processes of these protocols can allow an attacker to take over a switch, regardless of the VLAN he is in. Discovery protocols For a network administrator, it’s important to understand what devices are connected to a specific LAN. For this purpose, discovery protocols were invented. They work using periodic advertising packets sent by the connected devices and stored on the switch. Two discovery protocols are commonly used: ● LLDP - Link layer discovery protocol. Widely used by network printers and other non-Cisco devices. ● CDP - Cisco discovery protocol - Cisco’s version of LLDP, enabled by default for almost
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages29 Page
-
File Size-